The ravings of a SANS/GIAC GSE (Compliance & Malware)
For more information on my role as a presenter and commentator on IT Security, Digital Forensics Statistics and Data Mining;
E-mail me: "craigswright @ acm.org".

Dr. Craig S Wright GSE


Sunday, 25 September 2011

In the nature of getting myself into trouble I have decided to write a little personal anecdote. As anybody who has read my posts and more will quickly determine, I am outspoken and at times far from diplomatic, but these are never the things that had me in trouble the most.
It was usually silly things that I should have shut up about, if I really cared for my career more than security, that were the bane of my life.
I do not usually wear a watch, but in this tale I had one on. It was an interesting watch: it had a Bluetooth mobile and a 512MB USB hard drive, but looked just like a normal everyday watch.
A ways back, I was contracting through a company I owned with CSC and DFAT. Fun stuff such as “Advice on Information Technology Security”. That much is public information, and that is about as far as it needs to be said and as far as I will say, as it is not at all important here.
Well, to the story. I was working in a data centre and comms centre in Forrest. One of the fun places that have the blue cables in gas-filled tubes and loads of copper throughout so as to create a Faraday cage to DSD Tempest specs.
I did the normal stuff and wasted the normal long amount of time getting in through the man-trap and having the scanner go off many times, as they are too sensitive. Side note: I have several chunks of metal in me that are now “me” due to the collection of broken bones I have accrued in the years I have walked this earth.
I did the pat down and wondered just how friendly the guard was getting. They took my phone, issued me with a laptop to work on (as I could not take my own in) and gave me the general spiel of how and what for the location I was working in that week. Basic things that I knew already, like “if the person has more tinsel than a Christmas tree, do not bother him, just agree”.
Well, the watch was left on and I forgot it. Completely by accident, but it was on all day as I was left alone in a data centre hosting A*** data for a number of 4-letter agencies. Here in Oz we have 4-letter agency names to demonstrate that we are good.
I did a full day playing with a number of Unix and VMS systems (real Unix and not Linux) and finished up. I did the pat down, left and was in a meeting room outside the secure area doing a debrief on what we had configured, etc., when I was dumb enough to pipe up and say…
“Oh, I forgot to say my watch has a hard drive in it…”
Shite, fan… I need not say too much.
I was still in my 20s at this point, young and stupid (stupider than now, even). I managed to spend a couple of hours with a few people who did not seem really happy. I personally think it was too much starch in their laundry.
If I had been smart, I would have shut up at that point and it would have passed. But being a 20-something at the time, after being told that I could not take a drive into this facility and that if I had left with it and not been stopped (so much for saying I had it) it would have been a felony, I was dumb enough to say, “What is the big deal? I can just send and receive data over the Net.”
The response was normal…
“Don’t be daft kid we are air gapped. Nothing goes in or out.”
Now, if you ever want to see a Brigadier go funny colours just say what I did…
“How do you think I got the firmware updates? We just made an SSH tunnel over TCP 53 and proxied HTTP to the Sun website.”
Then there was a gap as this was explained in detail; all the time the colours on the faces were amazing.
Not naming names here, and nor will I even when plied with drink, but basically some of the CSC guys I worked with also did the Telstra tower and worked in TS and general systems. They needed to manage these and the budget only allowed them to do so much.
So, they had implemented TCP 53 outgoing from anything on the firewall. All the auditors missed this. It was simply DNS and so nothing was ever noted in a single report.
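The rule described above (anything outbound on TCP 53 treated as “just DNS”) is port-based trust, and it is detectable from the traffic itself. As an added example that is not part of the original post, the sketch below audits flow records for TCP/53 sessions whose first bytes are not a DNS message, or which are too large or too long-lived to be DNS. The Flow record layout, the sample records and the addresses are constructed for the example.

```python
"""Audit flow records for non-DNS traffic leaving on TCP/53 (constructed example)."""
import struct
from dataclasses import dataclass

@dataclass
class Flow:           # assumed record layout; adapt to your flow exporter's fields
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int    # bytes the inside host sent
    seconds: float    # session duration
    payload: bytes    # first bytes the inside host sent

def build_dns_query(name: str) -> bytes:
    """Well-formed DNS-over-TCP query for NAME (type A, class IN): the benign case."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(msg)) + msg   # RFC 1035 4.2.2 two-byte length prefix

def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """Structural check: length prefix matches, QR bit clear, sane QDCOUNT."""
    if len(payload) < 14 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
        return False                           # needs prefix + 12-byte header, prefix must fit
    flags, qdcount = struct.unpack("!HH", payload[4:8])
    return not (flags & 0x8000) and 1 <= qdcount <= 4

def suspicious(flow: Flow, max_bytes: int = 50_000, max_seconds: float = 60.0) -> list:
    """Reasons a TCP/53 flow does not look like DNS; an empty list means nothing to flag."""
    if flow.proto != "tcp" or flow.dport != 53:
        return []
    reasons = []
    if flow.payload.startswith(b"SSH-"):        # an SSH banner where a DNS query belongs
        reasons.append("ssh banner on port 53")
    elif not looks_like_dns_over_tcp(flow.payload):
        reasons.append("payload is not a DNS message")
    if flow.bytes_out > max_bytes:
        reasons.append(f"{flow.bytes_out} bytes out over a dns port")
    if flow.seconds > max_seconds:
        reasons.append(f"session held open {flow.seconds:.0f}s")
    return reasons

SAMPLE_FLOWS = [  # constructed records using RFC 5737 documentation addresses
    Flow("10.0.0.5", "192.0.2.53", 53, "tcp", 80, 0.2, build_dns_query("www.example.com")),
    Flow("10.0.0.9", "203.0.113.7", 53, "tcp", 4_200_000, 7200, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.0.0.9", "203.0.113.8", 443, "tcp", 9_000, 5, b"\x16\x03\x01"),
]

def audit(flows) -> dict:
    return {(f.src, f.dst): suspicious(f) for f in flows if suspicious(f)}
```

A per-flow check like this only catches the crude cases; the same rule is closed for good by allowing port 53 only to the organisation's own resolvers rather than to anything.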
So, not that I have said as much as I could to make this clear, and though in some ways I have said too much and can expect to end up berated yet again, I will say: there are no air-gapped systems.

Air gaps do not work.

Data diodes do not work.

If you are placing your trust in this, you are already done.

Even in TS-cleared, Faraday-controlled bases with no links, there are links. I have seen so many kludges connecting SIPRNet and NIPRNet networks in the US it is not funny, and they have links to us here in Oz as well.
So, the things we do to try and ruin our careers.
Then, at least unlike Stephen Northcutt, I never managed to take down a battleship.